The malware was disguised as seemingly legitimate apps “Crypto Monitor”, a cryptocurrency price tracking app, and “StorySaver”, a third-party tool for downloading stories from Instagram.
The malicious code is able to display fake notifications and login forms on the infected device to harvest login credentials used to access legitimate banking applications. The code is also able to intercept SMS messages to bypass two-factor authentication used by the financial institutions.
The same malware was discovered by experts at security firm RiskIQ in November.
According to researchers from ESET, the “Crypto Monitor” app was uploaded to the Play store on November 25 by the developer walltestudio, while the “StorySaver” app was uploaded by the developer kirillsamsonov45 on November 29.
“Together, the apps had reached between 1000 and 5000 downloads at the time we reported them to Google on December 4. Both apps have since been removed from the store,” states the analysis published by ESET.
When the user launches one of the malicious apps, it compares the apps installed on the infected device against a list of fourteen apps used by Polish banks; once it finds one of them, the malicious code displays a fake login form imitating that of the targeted legitimate app.
| App name | Package name |
|---|---|
| Alior Mobile | com.comarch.mobile |
| BZWBK24 mobile | pl.bzwbk.bzwbk24 |
| Getin Mobile | com.getingroup.mobilebanking |
| IKO | pl.pkobp.iko |
| Moje ING mobile | pl.ing.mojeing |
| Bank Millennium | wit.android.bcpBankingApp.millenniumPL |
| mBank PL | pl.mbank |
| BusinessPro | pl.bph |
| Nest Bank | pl.fmbank.smart |
| Bank Pekao | eu.eleader.mobilebanking.pekao |
| PekaoBiznes24 | eu.eleader.mobilebanking.pekao.firm |
| plusbank24 | eu.eleader.mobilebanking.invest |
| Mobile Bank | eu.eleader.mobilebanking.raiffeisen |
| Citi Handlowy | com.konylabs.cbplpat |
In some cases the fake login form is displayed only after the user taps a fake notification shown by the malware, which imitates the notifications used by the targeted bank app.
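The targeting logic described above gives analysts a cheap static triage signal: a cryptocurrency price tracker or an Instagram story downloader has no reason to embed the package names of fourteen Polish banking apps. The following helper is an added example (not code from ESET, RiskIQ or Security Affairs) that extracts printable strings from a sample the way the `strings` utility does, matches them against the package list from the table above (in both dotted and slash-separated form, since Dalvik class descriptors use `Lpl/pkobp/iko/...;`), and returns a verdict once a threshold of targeted banks is referenced. The byte blobs, the threshold value and the function names are constructed for the example.

```python
"""Static triage of an Android sample for embedded banking-app package names.

Added example, not the original report's code. The input blobs below are
constructed to resemble fragments of a classes.dex string section.
"""
from __future__ import annotations

from typing import Iterable

# Package names exactly as listed in the ESET report (table above).
TARGETED_PACKAGES: dict[str, str] = {
    "com.comarch.mobile": "Alior Mobile",
    "pl.bzwbk.bzwbk24": "BZWBK24 mobile",
    "com.getingroup.mobilebanking": "Getin Mobile",
    "pl.pkobp.iko": "IKO",
    "pl.ing.mojeing": "Moje ING mobile",
    "wit.android.bcpBankingApp.millenniumPL": "Bank Millennium",
    "pl.mbank": "mBank PL",
    "pl.bph": "BusinessPro",
    "pl.fmbank.smart": "Nest Bank",
    "eu.eleader.mobilebanking.pekao": "Bank Pekao",
    "eu.eleader.mobilebanking.pekao.firm": "PekaoBiznes24",
    "eu.eleader.mobilebanking.invest": "plusbank24",
    "eu.eleader.mobilebanking.raiffeisen": "Mobile Bank",
    "com.konylabs.cbplpat": "Citi Handlowy",
}


def extract_strings(blob: bytes, min_len: int = 6) -> list[str]:
    """Return runs of printable ASCII of at least min_len bytes (like `strings`)."""
    out: list[str] = []
    cur = bytearray()
    for b in blob:
        if 32 <= b < 127:
            cur.append(b)
            continue
        if len(cur) >= min_len:
            out.append(cur.decode("ascii"))
        cur = bytearray()
    if len(cur) >= min_len:
        out.append(cur.decode("ascii"))
    return out


def targeted_banks(strings: Iterable[str]) -> dict[str, str]:
    """Map each targeted package referenced in the strings to its bank name.

    Dex files store class names as 'Lcom/comarch/mobile/Foo;', so both the
    dotted and the slash-separated spelling are checked.
    """
    found: dict[str, str] = {}
    for s in strings:
        for pkg, bank in TARGETED_PACKAGES.items():
            if pkg in s or pkg.replace(".", "/") in s:
                found[pkg] = bank
    return found


def triage(blob: bytes, threshold: int = 3) -> tuple[str, dict[str, str]]:
    """Flag a sample that references at least `threshold` targeted banks.

    The threshold (an assumed value) keeps a single short name such as
    'pl.bph' from flagging an unrelated app on its own.
    """
    hits = targeted_banks(extract_strings(blob))
    verdict = "suspicious" if len(hits) >= threshold else "no-bank-target-strings"
    return verdict, hits


# Constructed inputs: one fragment mimicking an overlay trojan's string table,
# one mimicking a benign price-tracker app.
CONSTRUCTED_SUSPICIOUS = (
    b"\x00Lcom/comarch/mobile/Main;\x00pl.pkobp.iko\x00pl.mbank\x00"
    b"eu.eleader.mobilebanking.pekao\x00"
)
CONSTRUCTED_BENIGN = b"\x00com.example.cryptomonitor\x00https://api.example/prices\x00"

if __name__ == "__main__":
    for label, blob in (("sample A", CONSTRUCTED_SUSPICIOUS), ("sample B", CONSTRUCTED_BENIGN)):
        verdict, hits = triage(blob)
        print(f"{label}: {verdict} {sorted(hits.values())}")
```

Run against a real sample, the blob would come from the unpacked `classes.dex` rather than a hard-coded constant; the heuristic is a first-pass indicator for prioritising samples, not proof of maliciousness, since legitimate multi-bank aggregators may also reference several of these packages.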
“ESET telemetry shows that 96% of the detections come from Poland (the remaining 4% from Austria), apparently due to local social engineering campaigns propagating the malicious apps.”
The experts noted that the malicious apps are easy to remove: go to Settings > (General) > Application manager/Apps, find the malicious apps and uninstall them.
“To avoid falling prey to mobile malware in the future, make sure to always check app ratings and reviews, pay attention to what permissions you grant to apps, and use a reputable mobile security solution to detect and block latest threats,” concluded ESET.
ESET, who credited Witold Precikowski for the discovery, included the IoCs for this specific threat in its report.
(Security Affairs – banking Trojan, malware)